
How To Install LogWatch on Fedora 43


If you manage a Linux server and you’re not actively reviewing your system logs, you’re flying blind. Security breaches, service failures, and disk problems all leave trails in your logs — but manually reading through /var/log/ every day simply isn’t realistic. That’s exactly where LogWatch steps in. In this guide, you’ll learn how to install LogWatch on Fedora 43, configure it for your environment, run your first report, and automate daily log summaries so nothing slips through the cracks.

LogWatch is a Perl-based, open-source log analysis and reporting tool that scans your system logs, filters the noise, and produces a clean, structured digest report. It supports output to the terminal, a file, or email — making it equally useful for a home lab server and a production cloud instance. Best of all, setting up LogWatch on Fedora 43 requires no third-party repositories; it ships natively in Fedora’s official DNF package repository as version logwatch-7.13-2.fc43.

Whether you’re a beginner just getting comfortable with the terminal or an intermediate sysadmin looking to tighten up your monitoring stack, this Linux server tutorial walks you through every step clearly and completely.

Prerequisites

Before diving into the installation, make sure your environment meets the following requirements:

  • Operating System: Fedora 43 (physical machine, virtual machine, or cloud instance)
  • User Privileges: A user account with sudo access, or the root account directly
  • Internet Access: Required to pull packages from Fedora’s DNF repositories
  • Terminal Access: SSH or direct console access to your Fedora 43 system
  • Optional — Mail Server: If you want LogWatch to email reports, you’ll need a configured MTA such as Postfix
  • Basic terminal familiarity: You should be comfortable running commands and editing text files with nano or vim

Quick version check: Not sure if you’re on Fedora 43? Run this:

cat /etc/fedora-release

You should see output like Fedora release 43 (Forty Three).

Step 1: Update Your Fedora 43 System

Always start fresh. Before installing any new package, update your system to make sure all existing packages are at their latest versions and dependency trees are consistent.

Run the following command:

sudo dnf update -y

What this does: dnf is the Dandified YUM package manager — Fedora’s modern replacement for the legacy yum tool. The -y flag auto-confirms all prompts so the update runs without interruption.

Why this matters: Skipping this step is one of the most common causes of dependency resolution errors on RPM-based systems. A single outdated library can break a perfectly valid package install.

After the update completes, you’ll see a summary like:

Complete!

That means your system is ready for the next step.

Step 2: Install LogWatch on Fedora 43

Now let’s get LogWatch installed. Since it’s available directly in Fedora’s official repository, the installation is a single command.

sudo dnf install logwatch -y

What this does: DNF fetches the logwatch package along with any required Perl dependencies and installs them automatically. No manual dependency management needed.

Verify the Installation

Once the install finishes, confirm it worked:

logwatch --version

You should see something like:

Logwatch 7.13

You can also query the RPM database for full package details:

rpm -qi logwatch

This shows you the installed version, build date, and package description — useful confirmation that the right package landed on your system.

What Gets Installed

When DNF installs LogWatch, these are the key components that land on your system:

  • /usr/sbin/logwatch — the main executable binary
  • /usr/share/logwatch/ — default configuration files, Perl filter scripts, and service definitions
  • /etc/logwatch/conf/ — the local override configuration directory (this is where you’ll work)
  • /etc/cron.daily/0logwatch — a cron entry for automated daily runs (may or may not be created automatically depending on your setup)

Step 3: Understand the LogWatch File Structure

Before you start editing files, it pays to understand how LogWatch organizes its configuration. This is a two-tier system, and getting it wrong is a common beginner mistake.

Path                                              Purpose
------------------------------------------------  ------------------------------------------
/usr/share/logwatch/default.conf/logwatch.conf    Upstream default config — do not edit this
/etc/logwatch/conf/logwatch.conf                  Your local override file — edit this one
/usr/share/logwatch/scripts/services/             Perl scripts that parse per-service logs
/usr/share/logwatch/default.conf/services/        Default service definitions
/usr/share/logwatch/default.conf/logfiles/        Log file group definitions

The golden rule: Never edit /usr/share/logwatch/default.conf/logwatch.conf directly. That file belongs to the package manager. A future dnf update can overwrite it and wipe out all your changes.

Always make your customizations in /etc/logwatch/conf/logwatch.conf. If that file doesn’t exist yet, copy the default into place:

sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/logwatch.conf

Also make sure the config directory exists. If the copy above fails because the directory is missing, create it and run the copy again:

sudo mkdir -p /etc/logwatch/conf/

Step 4: Configure LogWatch on Fedora 43

This is where you shape LogWatch’s behavior to fit your environment. Open your local config file with your preferred editor:

sudo nano /etc/logwatch/conf/logwatch.conf

4a. Core Configuration Directives

Here are the most important settings to configure and what each one does:

# Where LogWatch sends its output
Output = mail          # Options: mail, stdout, file

# Email recipient for reports
MailTo = admin@yourdomain.com

# Email sender identity
MailFrom = logwatch@your-server-hostname

# Report verbosity level
Detail = Low           # Options: Low, Med, High

# Which services to monitor
Service = All

# Date range to analyze
Range = yesterday

# Report format
Format = text          # Options: text, html

4b. Understanding Detail Levels

The Detail parameter controls how much information appears in each report:

  • Low — Best for production servers. Shows only significant events and anomalies.
  • Med (medium) — A balanced view with moderate context. Good for staging environments.
  • High — Full verbose output. Useful for debugging, but overwhelming in daily use.

For most LogWatch deployments on Fedora 43, Detail = Low is the right starting point. You can always bump it up later for specific troubleshooting sessions.

4c. Excluding Noisy Services

Some services generate large amounts of routine log entries that clutter your reports. You can exclude them by adding negative Service entries:

Service = "-http"
Service = "-eximstats"

The - prefix tells LogWatch to skip that service entirely. Add as many exclusions as your environment needs.

4d. Setting a Temporary Directory

LogWatch needs a temp directory to process logs. On Fedora 43, DNF typically handles this automatically, but you can define it explicitly:

TmpDir = /var/cache/logwatch

If the directory doesn’t exist, create it:

sudo mkdir -p /var/cache/logwatch

Save your configuration file when you’re done (Ctrl+O, then Enter, then Ctrl+X in nano).
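
Once the local file has been copied from the default and edited, it is easy to lose track of what it actually overrides. The following added example (not part of Logwatch or of the original guide) lists the directive lines in the local file that differ from the packaged default after comments and spacing are normalised; the function name logwatch_overrides is illustrative, and the comparison is purely textual.

```shell
#!/bin/sh
# Added example: list the directives in the local override file that differ
# from the packaged default. The function name is illustrative.

logwatch_overrides() {
    default_conf="${1:-/usr/share/logwatch/default.conf/logwatch.conf}"
    local_conf="${2:-/etc/logwatch/conf/logwatch.conf}"
    for f in "$default_conf" "$local_conf"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done

    awk '
    # Normalise a line: drop comments, trim, and use a single " = " separator
    # so "Detail=Low" and "Detail = Low   # note" compare equal.
    function norm(s) {
        sub(/#.*/, "", s)
        gsub(/^[ \t]+|[ \t]+$/, "", s)
        sub(/[ \t]*=[ \t]*/, " = ", s)
        return s
    }
    # First file: remember every directive line the package ships.
    FILENAME == ARGV[1] { shipped[norm($0)] = 1; next }
    # Second file: print only the lines the package does not ship.
    {
        line = norm($0)
        if (line != "" && !(line in shipped)) print line
    }' "$default_conf" "$local_conf"
}
```

Run with no arguments on the server (as root if the files are not world-readable); empty output means the local file changes nothing.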

Step 5: Run LogWatch Manually to Test

Before automating anything, always run LogWatch manually to verify that your configuration works as expected.

sudo logwatch --detail Low --range today

What this does: Runs LogWatch against today’s logs, applies your configured filters, and prints the report to the terminal (stdout).

You should see output that looks like this:

################### Logwatch 7.13 ####################
Processing Initiated: Sat Mar 07 2026
Date Range Processed: today
Detail Level of Output: 0
Type of Output/Format: stdout / text
Logfiles for Host: your-server-hostname
######################################################

--------------------- pam_unix Begin ------------------------
sudo:
  Sessions Opened:
    admin -> root: 3 Time(s)
---------------------- pam_unix End -------------------------

--------------------- SSHD Begin ------------------------
Users logging in through sshd:
  admin:
    192.168.1.10: 2 times
Failed logins from:
  unknown: 192.168.0.50 (1 time)
---------------------- SSHD End -------------------------

--------------------- Disk Space Begin ------------------------
Filesystem       Size  Used Avail Use% Mounted on
/dev/sda1         50G   18G   30G  37% /
---------------------- Disk Space End -------------------------

###################### Logwatch End #########################

More Useful Manual Run Examples

Run a High-detail SSH-only report for yesterday:

sudo logwatch --detail High --range yesterday --service sshd

Run a 7-day rolling report to stdout:

sudo logwatch --detail Med --range "between -7 days and today" --output stdout

Important note for Fedora 43: If you see no output, your journald might not be writing logs persistently to /var/log/. Fix this by editing /etc/systemd/journald.conf and setting:

Storage=persistent

Then restart journald:

sudo systemctl restart systemd-journald

Step 6: Automate LogWatch with Cron

LogWatch doesn’t run as a background daemon — it’s a one-shot tool that you schedule. The most common approach is a daily cron job.

Check for an Existing Cron Entry

First, see if DNF already created one during installation:

ls /etc/cron.daily/
cat /etc/cron.daily/0logwatch

If 0logwatch exists and looks correct, you may not need to do anything else.

Create a Cron Job Manually

If no entry exists, create one via the root crontab:

sudo crontab -e

Add this line to send a daily report at 6:00 AM:

0 6 * * * /usr/sbin/logwatch --output mail --mailto admin@yourdomain.com --detail Low

Alternatively, drop a script file directly into /etc/cron.daily/:

sudo nano /etc/cron.daily/logwatch

Paste in:

#!/bin/bash
/usr/sbin/logwatch --output mail --mailto admin@yourdomain.com --detail Low

Save it, then make it executable:

sudo chmod +x /etc/cron.daily/logwatch

Verify the cron daemon is running — Fedora 43 uses cronie as its cron backend:

systemctl status crond

If it’s not active, start and enable it:

sudo systemctl enable --now crond

Step 7: Set Up Email Delivery (Highly Recommended)

A report that sits in a terminal buffer is useless if you’re not watching it. Getting LogWatch to email you daily is the move that makes this tool genuinely valuable.

Install and Enable Postfix

Postfix is the standard MTA on Fedora and the simplest option for local mail delivery:

sudo dnf install postfix -y
sudo systemctl enable --now postfix

Update Your LogWatch Config for Email

Open /etc/logwatch/conf/logwatch.conf and set:

Output = mail
MailTo = you@yourdomain.com
MailFrom = logwatch@your-server-hostname
Format = text

Test Email Delivery

Send a test report right now:

sudo logwatch --output mail --mailto you@yourdomain.com --detail Low --range today

Check your inbox. If the email doesn’t arrive within a minute or two, check your mail queue:

mailq

Cloud server tip: AWS, GCP, and Azure all block outbound port 25 by default. If you’re on a cloud instance, configure Postfix to use an SMTP relay service (SendGrid, Mailgun, or Amazon SES) on port 587 with STARTTLS instead of sending directly.

Step 8: Advanced Customization

Once LogWatch is running, there’s plenty of room to tailor it further.

Monitor Only Specific Services

Run a targeted report for a single service without touching your config:

sudo logwatch --service sshd --detail High

Enable HTML-Formatted Reports

If you’re reading reports in an email client that renders HTML, switch the format:

Format = html

HTML reports are easier to skim quickly, especially for High detail levels.

Add Custom Service Filters

LogWatch supports custom Perl scripts for applications it doesn’t natively cover — like Nginx, custom daemons, or Docker container logs. Place your custom filter scripts in:

/etc/logwatch/conf/services/

This keeps them separate from the upstream scripts and safe from package updates. The same applies to custom log file group definitions:

/etc/logwatch/conf/logfiles/
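
What such a filter does, as an added example (not part of Logwatch or of the original guide): it is fed the selected log lines on stdin and writes its report section to stdout. Logwatch's shipped filters are Perl; this sketch uses POSIX shell and awk for the same contract, and the function names, the nginx combined log format, the repeat threshold of 3 and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: Logwatch-style filter for nginx access logs (combined format).
# Log lines arrive on stdin; the report section goes to stdout.

nginx_error_summary() {
    # Logwatch exports the numeric detail level to filters; default to Low (0).
    detail="${LOGWATCH_DETAIL_LEVEL:-0}"
    awk -F'"' -v detail="$detail" '
    {
        # Split on double quotes so a malformed request cannot shift fields:
        #   $1 = client, user, time   $2 = request   $3 = status and bytes
        if (NF < 3) { bad++; next }
        split($1, pre, " ");  client = pre[1]
        split($3, post, " "); status = post[1]
        if (status !~ /^[1-5][0-9][0-9]$/) { bad++; next }
        if (status ~ /^4/) c4++
        if (status ~ /^5/) c5++
        if (status == 401 || status == 403) denied[client]++
    }
    END {
        # Each line carries a sort key (cut off below) to keep the order stable.
        printf "1\t4xx client errors: %d Time(s)\n", c4
        printf "2\t5xx server errors: %d Time(s)\n", c5
        if (bad) printf "3\tUnparsed lines: %d\n", bad
        for (ip in denied) {
            # At Low detail, list only clients with repeated denials.
            if (detail < 5 && denied[ip] < 3) continue
            if (!shown++) print "4\t401/403 responses by client:"
            printf "5 %s\t   %s: %d Time(s)\n", ip, ip, denied[ip]
        }
    }' | LC_ALL=C sort | cut -f2-
}

# Constructed sample input (documentation address ranges, not real traffic).
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [07/Mar/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 403 153 "-" "curl/8.0"
203.0.113.7 - - [07/Mar/2026:10:00:02 +0000] "GET /admin HTTP/1.1" 403 153 "-" "curl/8.0"
203.0.113.7 - - [07/Mar/2026:10:00:03 +0000] "POST /login HTTP/1.1" 401 20 "-" "curl/8.0"
198.51.100.4 - - [07/Mar/2026:10:05:00 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - alice [07/Mar/2026:10:05:09 +0000] "GET /private HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Mar/2026:10:06:00 +0000] "GET /api HTTP/1.1" 502 0 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Mar/2026:10:06:01 +0000] "\x16\x03\x01" 400 157 "-" "-"
192.0.2.10 - - [07/Mar/2026:10:06:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
this line is not in access-log format
EOF
}
# Used as a filter script, the file would end with: nginx_error_summary
```

Try it with `sample_access_log | nginx_error_summary`; at detail level 5 or higher every client with a 401 or 403 is listed, not only the repeat offenders.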

Troubleshooting Common LogWatch Issues on Fedora 43

Even a straightforward tool like LogWatch can hit snags. Here are the five most common issues and how to fix them:

  1. No output generated when running LogWatch
    • Check that /var/log/ contains recent log files: ls -lt /var/log/
    • Confirm persistent journald logging is enabled (see Step 5 above)
    • Run with debug mode for verbose output: sudo logwatch --debug 10
  2. Email reports are not arriving
    • Verify Postfix is running: systemctl status postfix
    • Check the mail queue for stuck messages: mailq
    • Confirm your MailTo address is set correctly in the config file
    • On cloud servers, check if port 25 is blocked by your provider’s firewall rules
  3. “Permission denied” errors when running LogWatch
    • Always run LogWatch with sudo — it needs root access to read protected log files like /var/log/secure
    • Check file permissions: ls -la /var/log/
  4. “No such file or directory” for the config file
    • The /etc/logwatch/conf/ directory may not exist. Create it and copy the default config:
    sudo mkdir -p /etc/logwatch/conf/
    sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
  5. LogWatch reports show no SSHD or security events
    • On Fedora 43, SSH authentication events may go to journald instead of a flat log file. Make sure persistent journald logging is on, and check that /var/log/secure exists. If it doesn’t, install rsyslog:
    sudo dnf install rsyslog -y
    sudo systemctl enable --now rsyslog

r00t
